European Union General Data Protection Regulation: Its Impact in the USA
August 21, 2018
The European Union General Data Protection Regulation (“GDPR”) introduces substantial changes to protection of personal data. The GDPR sets forth rules relating to the protection of individuals with regard to processing of their personal data and rules relating to the transfer of such personal data. With the GDPR’s reach extending well beyond the borders of the European Union, companies outside of the European Union must review and update their data privacy policies and practices. Yet, while the GDPR became effective on May 25, 2018, reports at that time indicated that many companies in the United States had not yet implemented the new regulation.
The GDPR replaces Directive 95/46/EC on personal data, which dates back to 1995. Over the past two decades, new technologies have been introduced into the marketplace. Examples include Youtube®, Facebook®, Twitter®, and Instagram®, as well as Apple’s iPhone®. Individuals today carry a personal mobile device from which they can routinely and easily share personal information with thousands, if not millions, of people at the push of a button. As an example, approximately two billion Facebook users share their personal data, some of them on a daily basis.
The GDPR applies to companies processing personal data related to the offering of goods and services into the European Union, or related to monitoring the behavior of individuals in the European Union. These new regulations apply to companies that transfer, process or use the personal data of EU residents outside of the EU. The GDPR continues the European Union’s horizontal approach to protection of personal data – meaning that the laws apply across all industries. This approach has been adopted in other countries such as Canada and Australia. In contrast, the United States generally follows a more vertical approach to data protection – meaning a sector-focused approach.
The GDPR defines personal information broadly. Personal information is information that may be used to identify a person as an individual, by reference to an identifier, including, for example, name, physical or other address, telephone number, electronic mail address, identification number, online user name, location data, economic, cultural or social identity, and other similar information.
Under the GDPR, processing is lawful for codified reasons, for example, if the company is processing the personal data for the performance of a contract with the individual, or when the individual gives consent, or to meet a legal obligation. Where processing is based on one’s consent, such consent must be freely given, informed and unambiguous, requiring a statement or clear affirmative action, such as checking a box.
Individuals have fundamental rights under the GDPR. The rights include, as an example, the right to access, correct and delete one’s personal data, and the right to restrict processing of one’s personal data. Individuals can also withdraw consent previously given.
The GDPR addresses privacy rights of children. Parental consent is required to process the data of children under the age of sixteen. European Union member countries may individually set the age as low as thirteen years.
Notice of certain personal data breaches must be made within 72 hours of becoming aware of the breach, where feasible, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, the company must also inform those individuals without undue delay.
To comply with the GDPR, companies should begin by performing a personal data assessment to determine what personal data the company collects and where and how such personal data is stored. With today’s use of cloud services, personal data may not necessarily be stored at a company’s facilities.
When a company hires an outside service provider who processes the personal data, that relationship should be governed by a subcontract. These subcontracts should be reviewed and updated to ensure that the outside service provider is GDPR compliant and to include the standard contractual clauses set forth in the GDPR, as necessary.
Of course, the privacy policy on the company’s website should be reviewed and updated. Such updates should include a clear description of the means of collection of personal information and a listing of individuals’ rights with respect to their personal data.
In conclusion, the European Union’s GDPR has expanded the protections for personal data to address the volumes of personal data that are being shared today versus two decades ago. Companies in the United States may be subject to the GDPR and need to take steps for compliance. Personal data privacy policies and practices need to be updated.
1 Vasilios Peros is founder and principal of Law Office of Vasilios Peros, P.C. His practice is focused primarily on business, technology and intellectual property law. He has been recognized as one of Greater Baltimore’s top attorneys, including SmartCEO’s 2016 Centers of Influence, 2015 CPA + ESQs, 2014 Power Players, and Legal Elite in 2011, 2010 and 2009. He can be reached at (410) 274-2053 and VPeros@PerosLaw.com.
2 This article is provided for informational purposes only and should not be construed as a legal opinion or legal advice. The reader should not rely on this article in making business, legal or other decisions on any matter without first consulting an attorney regarding any such decision or undertaking.